The Rootkit Of All Evil?

A major label’s latest attempt to protect its music from music pirates has turned into a major problem for SONY BMG Music Entertainment– a problem that has sparked at least two class action suits, forced the label to recall CDs by as many as 50 artists, and may result in states bringing charges against the record label.

Sony’s problems started October 31st when computer security researcher Mark Russinovich posted an item on his blog detailing how he had discovered a “rootkit” on his computer.

Rootkits are generally employed to hide files and programs, and are usually used in tandem with Internet worms and other nasty computer viruses. Furthermore, rootkits can enable someone to take control of a machine without the owner’s permission. In short, a rootkit is malware.

And what’s Sony BMG’s connection to the rootkit Russinovich found on his computer? As Russinovich detailed on his blog, it turns out that the rootkit in question came from copy protection technology called XCP, which was created by United Kingdom company First 4 Internet and employed by Sony BMG on several recent releases, including one Russinovich had purchased one month earlier – Van Zant‘s “Get Right With The Man.”

But XCP does more than prevent unauthorized copying, for it also deposits hidden files on computers running Microsoft’s Windows operating systems, files that are extremely difficult to find and even more difficult to remove. As Russinovich found out when he tried to manually remove the files, only to discover his actions disabled his CD drive.

What’s more, the XCP copy protection program does this covertly.

There’s a word for programs placed on a computer without the owner’s permission, programs that function in a way unbeknownst to the user: spyware. Furthermore, some states, such as California, have laws prohibiting spyware. It’s conceivable that Sony could find itself in the legal cross-hairs of more than one state’s attorney general.

But Sony’s employing a technology that placed rootkits on computers was only part of the problem, for rootkits are generally used to hide files that allow a third party to gain control of the machine. And, as news of Sony’s blunder grew, so did the number of viruses suddenly appearing on the Net that took advantage of the XCP rootkit.

When news first surfaced, Sony BMG tried to minimize the damage by having its president of global digital business talk to the press. However, Thomas Hesse didn’t inspire too much consumer confidence when he appeared on National Public Radio’s “Morning Edition” and said, “Most people don’t even know what a rootkit is, so why should they care about it?”

That was November 4th. Now it appears just about everyone who buys CDs cares about it, and Sony is just now discovering music consumers aren’t all that crazy about virtually unremovable files on their computers.

As news of the rootkit spread, Sony issued a patch for removing the rootkit, but not the actual files placed on consumers’ computers. However, some security experts are saying the patch only worsened the problem.

“This is a surprisingly bad design from a security standpoint,” said Princeton University computer science professor Ed Felten, who, along with grad student J. Alex Halderman, explored the removal program issued by Sony. “It endangers users in several ways.”

That’s because, in order to get the uninstall program from Sony, users must fill out an online form. Once the form is submitted, it is the form that actually facilitates the download and installs a program that preps the computer for the actual rootkit removal. According to Felten, the program enabling the download does not confirm that the uninstall program should come from either Sony or First 4 Internet, thereby making the computer vulnerable to virus attacks.

“The consequences of the flaw are severe,” Felten and Halderman posted on a blog on November 15th. “It allows any Web page you visit to download, install, and run any code it likes on your computer. Any Web page can seize control of your computer; then it can do anything it likes. That’s about as serious as a security flaw can get.”

Sony has recalled the CDs embedded with the XCP antipiracy technology, and has released a list identifying which discs are affected. Included on that list are CDs by Neil Diamond, Our Lady Peace, Celine Dion and, of course, Van Zant.

It should be noted that not all copy-protected CDs use First 4 Internet’s technology, and consumers should not confuse First 4 Internet’s XCP copy protection methods with those employed by other antipiracy companies such as digital rights management company Sunncomm. In other words, read the label before you buy.

Sony BMG really dug itself a deep one this time, and it may be months before the label can crawl out of the mess caused by First 4 Internet’s XCP copy protection. Not only have two class action suits been filed, but there have been calls for a Sony boycott, consumer trust in Sony has been almost completely eradicated and there are now reports that some companies are considering prohibiting their employees from playing CDs in the workplace.

Plus, when you consider that government employees, including members of the military, might play CDs on their computers, Sony’s rootkit debacle is probably going to get a lot worse before it gets better. That is, if it gets better.

While not referring to Sony by name, Homeland Security assistant secretary for policy Stewart Baker did have some harsh words for labels that protect their music by installing hidden files on computers.

“It’s very important to remember that it’s your intellectual property, it’s not your computer,” Baker said during a conference on, ironically, intellectual property piracy. “And in the pursuit of protection of intellectual property, it’s important not to defeat or undermine the security measures that people need to adopt in these days.”

When you consider all the implications – making computers vulnerable to virus attacks, placing hidden files on consumers’ machines and generating more bad press in two weeks than most companies accrue in a lifetime – you’re probably wondering what the execs at Sony were thinking when they greenlighted First 4 Internet’s XCP copy protection technology.

Or maybe you’re wondering if they were thinking at all.